Skip to content
Snippets Groups Projects
Normal view Permalink
tls.go 2.28 KiB
Newer Older
  • Learn to ignore specific revisions
    • Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    1 2 3 4 5 6 7 8 
    package kmstls

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
    Neil-Jocelyn Schark's avatar
    Rework flags and tls config and enable one cert per endpoint  
    Neil-Jocelyn Schark committed
    9 
    	"code.fbi.h-da.de/danet/quant/goKMS/config"
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    10 
    	"google.golang.org/grpc/credentials"
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    11 
    	"google.golang.org/grpc/credentials/insecure"
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    12 13 
    )
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    14 
    func GenerateGRPCServerTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    15 
    	var gRPCTransportCreds credentials.TransportCredentials
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    16 17 
    	if tlsConfig.Active {
		tlsLibraryConfig, err := GenerateServerTLSLibraryConfig(tlsConfig)
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    18 19 20 21 
    		if err != nil {
			return nil, err
		}
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    22 
    		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    23 24 25 26 27 28 29 
    	} else {
		gRPCTransportCreds = insecure.NewCredentials()
	}

	return gRPCTransportCreds, nil
}
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    30 
    func GenerateServerTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    31 
    	cp := x509.NewCertPool()
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    32 
    	b, err := os.ReadFile(tlsConfig.CAFile)
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    33 34 35 36 37 38 39 40 
    	if err != nil {
		return nil, err
	}

	if !cp.AppendCertsFromPEM(b) {
		return nil, fmt.Errorf("credentials: failed to append certificates")
	}
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    41 
    	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    42 43 44 45 
    	if err != nil {
		return nil, err
	}
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    46 
    	return &tls.Config{
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    47 48 49 50 
    		MinVersion:   tls.VersionTLS13,
		ClientCAs:    cp,
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    51 
    	}, nil
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    52 53 
    }
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    54 55 
    func GenerateGRPCClientTransportCredsBasedOnTLSFlag(tlsConfig config.TLSConfig) (credentials.TransportCredentials, error) {
	var gRPCTransportCreds credentials.TransportCredentials
    Neil-Jocelyn Schark's avatar
    Resolve "Allow SSL config per QuantumModule and per interKMS"  
    Neil-Jocelyn Schark committed
    56 
    	if tlsConfig.Active {
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    57 
    		tlsLibraryConfig, err := GenerateTLSLibraryConfig(tlsConfig)
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    58 59 60 61 
    		if err != nil {
			return nil, err
		}
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    62 
    		gRPCTransportCreds = credentials.NewTLS(tlsLibraryConfig)
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    63 64 65 66 67 68 69 
    	} else {
		gRPCTransportCreds = insecure.NewCredentials()
	}

	return gRPCTransportCreds, nil
}
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    70 
    func GenerateTLSLibraryConfig(tlsConfig config.TLSConfig) (*tls.Config, error) {
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    71 72 
    	cp := x509.NewCertPool()
    Neil-Jocelyn Schark's avatar
    Adding tls support for akms-ckms client and server  
    Neil-Jocelyn Schark committed
    73 
    	b, err := os.ReadFile(tlsConfig.CAFile)
    Malte Bauch's avatar
    Move tls generation functions and data into own package
    Malte Bauch committed
    74 75 76 77 78 79 80 
    	if err != nil {
		return nil, err
	}
	if !cp.AppendCertsFromPEM(b) {
		return nil, fmt.Errorf("credentials: failed to append certificates")
	}
    Fabian Seidl's avatar
    Reduce complexity of key forwarding methods  
    Fabian Seidl committed
    81 
    	cert, err := tls.LoadX509KeyPair(tlsConfig.CertFile, tlsConfig.KeyFile)
    Fabian Seidl's avatar
    move TLS config generation in new TLS package  
    Fabian Seidl committed
    82 83 84 85 86 
    	if err != nil {
		return nil, err
	}

	return &tls.Config{
    Malte Bauch's avatar
    Add additional TLS config option: InsecureSkipVerify  
    Malte Bauch committed
    87 88 89 90 
    		MinVersion:         tls.VersionTLS13,
		RootCAs:            cp,
		Certificates:       []tls.Certificate{cert},
		InsecureSkipVerify: tlsConfig.InsecureSkipVerify,
    Fabian Seidl's avatar
    move TLS config generation in new TLS package  
    Fabian Seidl committed
    91 92 
    	}, nil
}